1. Technical Field
Example embodiments of the present invention relate in general to a source authentication method and apparatus in a multicast environment and more specifically to a source authentication method and apparatus which may use a single-buffered hash in an issuer/subscriber environment using a multicast transmission scheme.
2. Related Art
In recent years, due to devices that provide high-performance and convenient network functions such as personal computers (PCs), portable terminals, and the like, demands for a variety of distribution services using a distributed middleware such as Common Object Request Broker Architecture (CORBA) or Data Distribution Service (DDS) have increased.
In this environment, however, a simple structure has been used in which the system is divided into an issuer and a subscriber: the issuer publicizes its own data, the subscriber requests from the issuer the information it wants according to the publicized data, and services are provided in response to the request.
Accordingly, in addition to integrity, which ensures that the transmitted data has not been changed in transit, source authentication, which confirms that the transmitted data came from a proper issuer, is required.
That is, a means is needed for preventing packet re-transmission or preventing false information from being transmitted to other subscribers by a malicious subscriber impersonating the issuer.
For such source authentication, the issuer uses methods such as electronic signatures, a one-way hash after time synchronization, or a hash chain over the preceding and following packets.
However, these methods have limitations for the following reasons.
1) In the method of using the electronic signatures, the issuer adds an electronic signature generated with his or her own private key to each packet to be transmitted, and the subscribers confirm the signature using the public key of the issuer to verify each packet. With electronic signatures, the issuer and the subscriber have to operate based on authentication, so time and calculation loads may be incurred compared to the method using the hash.
2) In the method that uses the one-way hash after time synchronization, the issuer and the subscriber synchronize time and then divide the time into regular intervals. Thereafter, a message authentication code (MAC) is generated using a unique secret key for each time interval, and the generated MAC is added to the packet. These secret keys are calculated using a one-way hash function. Here, a predetermined number m of secret keys are generated in advance and used in the reverse order. That is, a key value k1 is publicized to all subscribers using a key value of k1=F(k2) for a time t1 and using a key value of k2=F(k3) for a time t2.
For this, the issuer determines an mth key value km, calculates the key values in the order km−1, ..., k2, k1, k0, and then publicizes the value k0 to each subscriber. In this manner, when a MAC of a packet is calculated using k1 during the time t1 and transmitted, the subscribers are unable to know the value of k1 before the time t2, so a malicious subscriber is prevented from impersonating the issuer, and source authentication is made possible.
However, in this method, subscribers must buffer all packets transmitted during a specific time t1 so that the packets buffered during the previous time can be authenticated using k1, which is publicized during the next time t2. That is, authentication is delayed by the amount of a time period. In addition, the issuer and the subscriber have to synchronize time in order to use this method.
3) In the method that uses the hash chain, a hash value for a data integrity test is used to calculate a hash value of the previous or the next packet. That is, when P denotes a packet, M denotes a message, H(M) denotes a hash value for M, and H(P) denotes a hash value for P, P1=M1+H(M1), P2=M2+H(P1), and P3=M3+H(P2) are calculated in a method that uses the previous packet, and the final packet Pm=Sign(H(Pm−1)) is transmitted by electronically signing a hash value of the previous packet. A method that uses the next packet performs this in the reverse order. However, in the method that uses the hash chain, source authentication becomes possible only after all data to be transmitted has been buffered by the issuer or the subscriber, so the method is difficult to use as a real-time authentication method. That is, the packet Pm−1 can be authenticated using the value H(Pm−1) only after the packets from P1 to Pm have arrived at the subscriber, and the previous packet can be verified using the value H(Pm−2) of the previous packet included in the packet Pm−1 only after integrity of the packet Pm−1 is ensured.
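The time-synchronized key chain of method 2) can be illustrated with the following added example, which is not part of the original text. It assumes F is SHA-256 and the MAC is HMAC-SHA-256; the names make_key_chain, Subscriber and demo are hypothetical, and the sample secret and messages are constructed.

```python
import hashlib
import hmac

def F(key: bytes) -> bytes:
    """One-way function of the key chain (SHA-256 is an assumption)."""
    return hashlib.sha256(key).digest()

def make_key_chain(k_m: bytes, m: int) -> list:
    """Return [k0, ..., km] with k[i] = F(k[i+1]); k0 is publicized up front."""
    chain = [k_m]
    for _ in range(m):
        chain.append(F(chain[-1]))
    return chain[::-1]

def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

class Subscriber:
    def __init__(self, k0: bytes):
        self.trusted_key, self.trusted_index = k0, 0
        self.buffer = {}  # interval -> [(message, tag)] waiting for its key

    def receive(self, interval: int, message: bytes, tag: bytes) -> bool:
        # Once k_i is public anyone can compute its MACs, so late packets are dropped.
        if interval <= self.trusted_index:
            return False
        self.buffer.setdefault(interval, []).append((message, tag))
        return True

    def key_disclosed(self, interval: int, key: bytes) -> list:
        """Hash the disclosed k_i back to the last trusted key, then check the buffer."""
        if interval <= self.trusted_index:
            return []
        probe = key
        for _ in range(interval - self.trusted_index):
            probe = F(probe)
        if not hmac.compare_digest(probe, self.trusted_key):
            return []  # not on the issuer's chain; buffered packets stay unverified
        self.trusted_key, self.trusted_index = key, interval
        packets = self.buffer.pop(interval, [])
        return [m for m, t in packets if hmac.compare_digest(mac(key, m), t)]

def demo():
    chain = make_key_chain(b"constructed-secret-k_m", m=4)  # constructed sample secret
    sub = Subscriber(chain[0])
    sub.receive(1, b"reading=21", mac(chain[1], b"reading=21"))  # issuer, during t1
    sub.receive(1, b"reading=99", mac(b"guess", b"reading=99"))  # forger lacks k1
    # A bogus disclosure releases nothing; the real k1 (sent during t2) releases one packet.
    return sub.key_disclosed(1, b"bogus"), sub.key_disclosed(1, chain[1])
```

Nothing received during t1 is authenticated until k1 arrives during t2, which is the buffering and delay described above, and the drop of late packets in receive is why the two sides need synchronized time.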
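The hash chain of method 3), in its previous-packet form, is shown in the following added example, which is not part of the original text. It assumes H is SHA-256 and implements Sign with a Lamport one-time signature built from the same hash, a swapped-in stand-in for the issuer's electronic signature; all function names are hypothetical and the messages are constructed.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signature: a stand-in for the page's Sign(), usable for ONE stream only.
def bits(digest: bytes) -> list:
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, digest: bytes) -> list:
    return [sk[i][b] for i, b in enumerate(bits(digest))]

def verify_sig(pk, digest: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for s, (i, b) in zip(sig, enumerate(bits(digest))))

def build_stream(messages, sk):
    """P1 = M1 + H(M1), Pi = Mi + H(P(i-1)); the final packet is Sign(H(P_last))."""
    packets, prev = [], None
    for msg in messages:
        prev = msg + H(msg if prev is None else prev)
        packets.append(prev)
    return packets, sign(sk, H(prev))

def authenticate(packets, signature, pk):
    """Needs the whole stream: verify the signed hash, then walk the chain backwards."""
    if not packets or not verify_sig(pk, H(packets[-1]), signature):
        return None
    for i in range(len(packets) - 1, 0, -1):
        if packets[i][-32:] != H(packets[i - 1]):
            return None  # packet i-1 was altered
    if packets[0][-32:] != H(packets[0][:-32]):
        return None  # P1 carries H(M1)
    return [p[:-32] for p in packets]

def demo():
    sk, pk = keygen()
    packets, sig = build_stream([b"M1", b"M2", b"M3"], sk)  # constructed messages
    tampered = [packets[0], b"MX" + packets[1][2:], packets[2]]
    return authenticate(packets, sig, pk), authenticate(tampered, sig, pk)
```

authenticate cannot start until the signed final packet and every packet before it are in hand, which is the real-time limitation the paragraph describes.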